Two-Step Login expands to MAUI, ICON, and MyUI

The University of Iowa has expanded Two-Step Login to web-based applications, including MAUI, ICON, and MyUI, and campus cyber-security experts advise all UI faculty, staff, and students to enable the feature for these applications.

Two-Step Login makes it harder for unauthorized users to access accounts using stolen HawkID usernames and passwords. It uses a method called two-factor authentication that’s increasingly common among consumer web services like Google and Facebook.

“Two-Step Login requires both something you know—your HawkID and password—and something only you possess, usually a mobile phone,” says Jane Drews, UI chief information security officer. “It’s an effective way to ensure that it’s really you logging into your account.”

Two-Step Login basics

In February, the UI began requiring Two-Step Login for faculty and staff accessing the university’s Employee Self Service website. In May, the service expanded to MAUI, ICON, and MyUI—academic applications that manage sensitive student information and course tools.

Right now, the expanded service options are available for all users on an opt-in basis. In October, faculty and staff will be required to use Two-Step Login when accessing MAUI.

Discussions are still underway to determine whether faculty and staff will be required to use Two-Step Login with ICON starting this fall or whether they will be able to opt out. Students are strongly encouraged to enable the feature for their logins to both ICON and MyUI.

Two-Step Login works like this:

Step one: Users enter their HawkIDs and passwords and choose a second-step method.

Step two: Users approve a push notification to a mobile device, answer a phone call, or enter a pass code generated for them to complete their logins.

With the recommended Duo push notification method, users complete their logins by tapping an “approve” button in the app. Duo Mobile is free, and enrolling a phone or other device takes only a few minutes.

Better security in the classroom

The Two-Step Login expansion follows a recent discovery that devices attached to classroom computers had surreptitiously recorded hundreds of HawkIDs and passwords.

Requiring Two-Step Login for the most sensitive academic applications and recommending its use across the board balances cyber-security best practices with user convenience.

“We need to take special care in protecting student and academic data,” Drews says. “At the same time, we need to establish security procedures that don’t intrude on teaching.”

Virtually all faculty and staff are already using Two-Step Login for Employee Self Service. They’ll use the same process to access MAUI and ICON, whether from the office, from home, or in the classroom.

Recognizing that not all instructors have mobile phones or take them to class, the university is offering key fob token devices that generate one-time pass codes.

Other classroom and application security improvements include better physical protections for classroom computers and enhancing ICON resources to flag important changes to instructors.

Student options

Students can choose to use Two-Step Login with ICON and MyUI. Though it’s not required, Drews would like to see every student adopt the practice.

“Many students are used to this feature from Facebook, Gmail, and other services,” Drews says. “We encourage them to take just as much care with their academic info as they do with their private email and social media accounts.”

Like all other users, students begin by downloading the free Duo Mobile app. Next, they use a computer attached to the campus network (not the attwifi network open to campus visitors) to create their Two-Step Login account profile and enroll their Two-Step device. Off-campus users should call the ITS Help Desk at 319-384-4357 to enroll.